
Research On Network Security Technology In Software Defined Networks

Posted on: 2018-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Jiang
Full Text: PDF
GTID: 2348330515951697
Subject: Communication and Information System

Abstract/Summary:
In recent years, network attacks have occurred frequently and caused serious consequences, and defending network security has become part of national security strategy. At the same time, Software Defined Networking (SDN) is emerging with the continuous development of big data, cloud computing and other new technologies. Because traditional network attacks still pose a strong threat to SDN networks, more and more scholars focus on attack defense in SDN; however, there is not yet an accurate, fast, effective and lightweight security scheme. Following the classification of traditional network attacks, this thesis studies defense mechanisms against illegal packet attacks, distributed denial of service (DDoS) attacks, and port scanning.

To prevent illegal packet attacks from harming the systems of destination hosts and servers, this thesis proposes an illegal-packet defense mechanism based on feature matching, since every kind of illegal packet has highly specific features. The mechanism extracts the relevant fields from packet-in messages and matches them against an attack signature database before the controller executes the forwarding module. Simulation results show that the mechanism identifies the IP fragment attack and the Land attack accurately and blocks all attack packets at the access switches.

Because the SDN controller is a single point of vulnerability, DDoS attacks have a great impact on SDN networks. To detect DDoS attacks with forged source IP addresses accurately, this thesis proposes an entropy-based DDoS defense mechanism (EDDM). EDDM distinguishes abnormal flows by the drop in the entropy of the destination IP, and finds the attacker's location from the correspondence between source MAC and source IP. The thesis then proposes the upgraded entropy-based DDoS defense mechanism (Upgraded-EDDM) to detect DDoS attacks with forged source MAC addresses, using a drop in the destination IP's entropy combined with an ingress-port entropy lower than that of the source IP address. It locks the attacker's location through the correspondence between ingress ports and source MACs/source IPs. This is the first time the entropy value of the ingress port has been taken as a criterion for attack detection. Simulation results show that Upgraded-EDDM accurately identifies UDP Flood packets with forged source MACs and drops the attack flows at the edge of the SDN network; its overall performance is also better than that of EDDM.

Distributed reflection denial of service (DRDoS) attacks and port scanning show different patterns in the entropy variation of the ingress port, destination IP and destination port number. Since their defense mechanisms share the same entropy calculation and anomaly detection process as the DDoS defense, this thesis extends Upgraded-EDDM into the Integrated-EADM scheme, which can identify and block multiple network attacks. Simulation results show that Integrated-EADM identifies DRDoS attacks and TCP SYN scanning accurately and blocks attack flows at the source.
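The entropy checks of Upgraded-EDDM described above, as an added Python example that is not the thesis's own code: it computes the Shannon entropy of ingress port, source IP and destination IP over a window of packet-in records, flags the window when destination-IP entropy drops while ingress-port entropy is lower than source-IP entropy, and locates the suspect ingress port from the number of distinct (source MAC, source IP) pairs it carries. The packet-in samples, the drop ratio and the fan-out threshold are constructed assumptions, not values from the thesis.

```python
import math
from collections import Counter

# Constructed packet-in samples (ingress_port, src_mac, src_ip, dst_ip), not real traffic.
def normal_traffic():
    """Eight hosts behind four switch ports, each talking to a distinct server."""
    return [(1 + i % 4, f"00:00:00:00:00:{i + 1:02x}", f"10.0.0.{i + 1}", f"10.0.1.{i + 1}")
            for i in range(8)]

def udp_flood(n=32, port=3, victim="10.0.1.1"):
    """UDP flood entering at one ingress port with a forged MAC and IP per packet."""
    return [(port, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", f"172.16.{i >> 8}.{i & 0xff}", victim)
            for i in range(n)]

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of the values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def window_entropies(window):
    ports, _macs, srcs, dsts = zip(*window)
    return {"port": entropy(ports), "src_ip": entropy(srcs), "dst_ip": entropy(dsts)}

def detect_spoofed_flood(baseline, window, drop_ratio=0.5, fanout=4):
    """Upgraded-EDDM style test. Flags a window when destination-IP entropy falls
    below drop_ratio of the baseline AND ingress-port entropy is lower than
    source-IP entropy (many source identities funnelled through few ports).
    drop_ratio and fanout are hypothetical thresholds chosen for this example.
    Returns (is_attack, suspect_ingress_ports)."""
    base, cur = window_entropies(baseline), window_entropies(window)
    dst_entropy_dropped = cur["dst_ip"] < base["dst_ip"] * drop_ratio
    port_below_src = cur["port"] < cur["src_ip"]
    if not (dst_entropy_dropped and port_below_src):
        return False, []
    # Locate the attacker: a port carrying far more distinct (MAC, IP) pairs than
    # any port did in the baseline is where the forged sources enter the network.
    def sources_per_port(w):
        per_port = {}
        for port, mac, ip, _dst in w:
            per_port.setdefault(port, set()).add((mac, ip))
        return {p: len(s) for p, s in per_port.items()}
    limit = max(sources_per_port(baseline).values()) * fanout
    suspects = sorted(p for p, k in sources_per_port(window).items() if k > limit)
    return True, suspects

if __name__ == "__main__":
    print(detect_spoofed_flood(normal_traffic(), normal_traffic() + udp_flood()))
```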
Keywords/Search Tags: Software Defined Networks (SDN), Network Security, Distributed Denial of Service Attacks (DDoS), Entropy Value of Ingress Port